Magniber Ransomware

Magniber Ransomware might become your worst nightmare if you live in South Korea. Once it infects a computer, it copies itself to %TEMP% and starts working immediately: it encrypts the personal files it finds on the system so that its operators can extort money from the victim. Although this infection targets users in South Korea only, that does not mean it cannot infiltrate other users’ computers. Luckily, if its verification fails, i.e., it becomes clear after checking the default language, IP address, date type, and other details that the user lives somewhere else, it removes itself automatically: the malicious file deletes itself and, consequently, no files are encrypted. If you are reading this article, you most likely belong to the first group, i.e., users living in South Korea. The first thing we want to tell you is that you must not pay the cyber criminals. We know that you need your files back, but you must understand that by transferring the ransom you risk losing both your money and your files, because there is no guarantee that you will be able to unlock the encrypted data after paying. Because of this, we suggest that you focus on the Magniber Ransomware removal for now. Once this harmful infection is gone from your system, you can try to restore your files. The only free way to restore them is from a backup, so it is a huge problem if you have never backed up your most valuable files.

According to specialists at pcthreat.com, the chances are high that Magniber Ransomware is a new variant of the well-known crypto-threat Cerber Ransomware; however, there is nothing very unique about it, because it acts as a typical ransomware infection. Once it has infected the computer, it scans the system for files with .mid, .jpg, .doc, .png, .tar, .tpc, .wmv, .wpd, .xlm, .zip, .zw, .vnt, and other popular extensions and then encrypts them all without mercy. It is easy to tell which files it has affected, because all of them get the new extension .ihsdj (the extension may change with other versions of Magniber Ransomware). It uses the strong AES-128 cipher to encrypt them, so do not expect to get them back easily. The ransom note READ_ME_FOR_DECRYPT_[random characters]_.txt left behind after the files have been encrypted tells users how they can decrypt their files. First, users need to download the Tor Browser and use it to open the .onion link provided. Then, they have to send a ransom of 0.2 BTC (~ 1100 USD) to the cyber criminals’ Bitcoin address. The cyber criminals behind Magniber Ransomware promise to provide the private key and a decryption program soon after they receive the money, but, frankly speaking, nobody knows whether this will really happen, so we cannot let you send money to ransomware developers. In our opinion, you should instead focus on the Magniber Ransomware removal. You cannot let it stay, because it has a point of execution (a scheduled task) in %WINDIR%\System32\Tasks, meaning that it can strike again and lock all new files you create.
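The two file-system indicators named above (the appended .ihsdj extension and the READ_ME_FOR_DECRYPT_[random characters]_.txt note) are enough to inventory what an infection touched, which is what you need before restoring from backup. The following triage script is an added example written for this article, not code from pcthreat.com or from the ransomware itself; it assumes the encrypted file keeps its original name with .ihsdj appended (e.g. report.doc.ihsdj), and the directory listing it scans is constructed here rather than taken from a real machine.

```python
import re
from collections import Counter

# Indicators described in the article: encrypted files get the extension
# ".ihsdj" and the ransom note is named READ_ME_FOR_DECRYPT_<random>_.txt.
ENCRYPTED_EXT = ".ihsdj"
RANSOM_NOTE_RE = re.compile(r"^READ_ME_FOR_DECRYPT_[A-Za-z0-9]+_\.txt$", re.IGNORECASE)


def basename(path):
    """File name part of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_path(path):
    """Return 'ransom_note', 'encrypted' or 'other' for one path."""
    name = basename(path)
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    if name.lower().endswith(ENCRYPTED_EXT):
        return "encrypted"
    return "other"


def original_extension(path):
    """Extension the file had before encryption, assuming the ransomware
    appended ".ihsdj" to the original name (assumption, not stated on the page)."""
    name = basename(path)
    stem = name[: -len(ENCRYPTED_EXT)]  # strip the appended extension
    return stem.rsplit(".", 1)[-1].lower() if "." in stem else ""


def triage(paths):
    """Group a listing into encrypted files, ransom notes and a histogram
    of original extensions so restore-from-backup can be planned."""
    report = {"encrypted": [], "ransom_notes": [], "original_extensions": Counter()}
    for path in paths:
        kind = classify_path(path)
        if kind == "encrypted":
            report["encrypted"].append(path)
            report["original_extensions"][original_extension(path)] += 1
        elif kind == "ransom_note":
            report["ransom_notes"].append(path)
    return report


# Constructed sample listing (not from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\user\Documents\report.doc.ihsdj",
    r"C:\Users\user\Pictures\holiday.jpg.ihsdj",
    r"C:\Users\user\Music\track.mid.IHSDJ",
    r"C:\Users\user\Documents\notes.txt",
    r"C:\Users\user\AppData\Local\Temp\READ_ME_FOR_DECRYPT_k7q2z_.txt",
    r"C:\Users\user\AppData\Local\Temp\READ_ME_FOR_DECRYPT.txt",  # does not match the documented pattern
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted files, "
          f"{len(result['ransom_notes'])} ransom notes")
    for ext, count in result["original_extensions"].most_common():
        print(f"  .{ext or '(none)'}: {count}")
```

On a real machine you would feed `triage` the output of a recursive directory walk of the user profile; the extension histogram tells you which backups (documents, photos, media) you actually need to restore.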

There is no doubt that Magniber Ransomware infiltrates users’ computers illegally. According to our malware researchers, the chances are high that it is distributed in the same way as Cerber Ransomware, that is, mainly through the Magnitude Exploit Kit. You should be careful with spam emails too, because ransomware infections are commonly distributed via them. Last but not least, download new software from trustworthy pages only, because corrupted pages can drop malware straight onto your PC. Ransomware infections are quite sneaky threats, so we cannot promise that you will be able to keep them out in every case. Because of this, you should also have a powerful security tool enabled on your system.

If you have read this article from the beginning, you already know that Magniber Ransomware copies itself to %TEMP% and creates a task in %WINDIR%\System32\Tasks. You will also find its ransom note in %TEMP% after it has entered the system. You need to delete all of its components one by one; you can use our manual removal guide if you need guidance. All the malicious components can be erased automatically too. Unfortunately, an automated malware remover cannot unlock the encrypted files for you either.

Remove Magniber Ransomware

1. Press Win+E to open File Explorer.

2. Type %TEMP% in the address bar.

3. Press Enter.

4. Locate the malicious file belonging to the ransomware infection, e.g. ihsdj.exe, and delete it (if you are not allowed to erase it, open Task Manager, end the Magniber Ransomware process, and try again).